Cybersecurity for the Hospitality Industry

The hospitality industry has been a continual target of cybercriminals. The compromised reservation system of the Marriott hotel chain, owing to internal security gaps, opened the gates for threat actors back in 2018. The root cause and the point of attack were found to be the systems of an acquired company, Starwood Hotels, whose computer systems had still not been migrated to Marriott's for various internal reasons. An easy spot to attack, and that is exactly what happened.

A cyber-attack like this can cause major losses to the organization: loss of revenue due to lawsuits, penalties, and compensation paid to customers. Add to that the indirect costs of customers leaving the company, loss of goodwill, decline in brand value and dropping share prices, and the financial ramifications are huge.

So what does it take to realize the importance of cyber security, to be aware of the kinds of attacks, and to prevent a massive cyber-attack of this kind in a highly vulnerable industry like hospitality? Read on to find out:

Significance of Cybersecurity in hospitality:

It is critical to realize the importance of cyber security in an industry like hospitality, where the vulnerabilities are high. Below are a few reasons why it is high time to give cyber security the attention it deserves:

  • Increasing awareness of cyber security as cyber-attacks on the industry increase: With several attacks around the world like the Marriott Hotel case constantly in the news, cyber security in hotels has achieved a new spot in the limelight. Scrutiny of the hospitality industry's internal security by consumers, the legal system, and regulating bodies has been intense. Terms like dedicated IT and security programs, annual data security audits and post-incident examinations have become common since 2015, when the industry faced several data threats and breaches. Apart from this, consumers of the industry have been given a good deal of advice on the caution to be practiced while traveling. In this situation, mere compliance is barely sufficient anymore, and a well-planned cyber risk management strategy has become a prerequisite. So, if you have been thinking of upscaling your cyber risk management and giving it the importance it deserves, this is the right moment.

  • Conserving brand health and consumer trust: Goodwill and the trust of customers and patrons are among the most crucial resources of the hospitality industry. In hospitality, trust and confidence are brand health, and failing to safeguard them is a sure-shot route to downfall. Because of changes in the nature and value of data, a security or privacy breach may not be immediately apparent, nor its effects explicitly felt. Most often, the harm stays hidden until it is too late. This leads to legal and regulatory risks in addition to damage to brand health and loss of patrons.

  • Significant regulatory complications: In the event of a cyber-attack in the hospitality industry, multiple class-action lawsuits are filed immediately, as the attack hits not just the hotel's internal systems but compromises a huge amount of customers' personal data. Penalties are incurred under many acts, including GDPR. It cannot be stressed enough that legal and regulatory problems bring their own complications, and the penalties are bound to be heavy. Several countries have passed legal acts like GDPR, PIPEDA, etc. for the protection of data and privacy.

  • Gaining a perspective on data security and privacy: Data security and data privacy go well beyond data risk management and compliance. They come with a whole new world of possibilities that can support the business objectives of the hotel. Factors like personalized services and economic interests can be strategized and developed into well-defined business goals. Such planning must be done with the joint consent of the top management and the internal compliance authorities of the hotel. Data security and privacy must be viewed as a major aspect of hotel management so as to gain different perspectives and put them to optimum use.

Types of Attacks and top ways to prevent them:

  • Phishing attacks:

The challenge: Phishing is one of the oldest types of cyber-attack, but still the most used technique. Phishing attacks can induce the targeted victim to perform the action the attacker desires, from sharing information to authorizing transactions. The term phishing means sending spoofed emails that aim to trick the victim into revealing sensitive information. In most cases, this sensitive information is passwords or financial information, and in the hospitality industry the attacks are aimed at the personnel with the most authority.

Solution: Phishing has been prevalent for many years now. Although several comprehensive security awareness training programmes have been developed across industries, the training regime for the hospitality industry requires a dedicated methodology. Instead of relying only on audio-video training material, going a step further and providing real-life scenario training proves more effective. Giving staff a glimpse of what it is like to be on the scene of an attack, or at the receiving end of one, helps.

  • Ransomware Attacks

The challenge: Research suggests that the hospitality industry has incurred huge losses due to ransomware attacks like “WannaCry”, with each hotel losing close to $17,000. The intention behind a ransomware attack is usually to gain financial profit in return for letting the victim have a ransomware-free system again.

Solution: When it comes to ransomware attacks, safe surfing is the key, and safe surfing must be taken seriously by all parties in focus, from the internal staff to the travelers. Training alone does not help, as resisting ransomware requires the constant practice of caution, so adequate awareness must be constantly present on the hotel property. Steps like checking the security of websites visited before providing credentials, disabling pop-ups, and verifying the security of applications downloaded onto personal devices must be practiced.

  • DDoS

The challenge: DDoS refers to a Distributed Denial of Service attack. DDoS is a prevalent form of attack used across the world against the hospitality industry. It aims at the various internal systems used by a hotel, and is not restricted to the computer systems or databases on the property: any internal system, from the automated sprinkler or cleaning system to the security cameras in the surveillance system, can be a target. Through these access points, a DDoS attack can reach the hotel's complete system and crash the whole of it.

Solution: An intrusion detection system is an immediate solution for blocking such access. An intrusion detection system performs dynamic analysis of all probable attacks, suspicious activities, and breaches in the internal systems by identifying existing system errors and monitoring the availability and confidentiality of data.

  • PoS Attacks

The challenge: PoS refers to a Point-of-Sale attack. This type of attack poses the highest intensity of threat to the hospitality industry, as it hits the vendor in question rather than the hotel alone. It mostly occurs due to human error or unidentified weak spots in the systems. Media exposure becomes unavoidable in such attacks, as they involve a probable financial loss for customers.

Solution: Physical security of systems must be taken seriously. All equipment on the hotel property must be kept updated, and networks must be secured with tight access restrictions. Staff must practice hygienic cyber behaviour. This must be reflected in day-to-day routine activities like password handling, maintaining an orderly work desk, filing and securing sensitive documents in safe systems, and handling customer identification documents.

  • Dark Hotel hacking method

The challenge: This type of attack was first reported in 2007. Here the attacker targets the networks that can provide access to guest information, such as a Wi-Fi network. The hotel server is first compromised with code that prompts devices on the guest network to download software.

Solution: Investing in high-quality cyber security software and a firewall can prove effective in battling Dark Hotel attacks. A firewall system tracks all hardware and software devices and the traffic levels, and identifies malware and viruses.

  • Data and identity theft:

The challenge: One of the biggest challenges in preventing data theft is protecting customer information. Stealing and spoofing of identity data, such as credit card and financial information, is a prevalent form of cyber-attack.

Solution: Install a biometric system and restrict access. Biometric systems focus on authorization and process data by storing specific identifiers at the time of use. They use tools like fingerprint recognition, voice recognition, and face and retina recognition for identification. This ensures access limitation and protection of the entire system.

Strengthening information security towards cyber resilience

One needs to build a robust cybersecurity posture on two fronts when combating cyber threats in the hospitality domain:

  • Inherent risks and security risks

  • Financial and Legal risks

Inherent risks and security risks

  1. Attain all the necessary baseline requirements: Being your best with the basics is always the key. These include implementing security controls for data and services, secure internet and network connections, and anti-virus and malware tools.
  2. Preparedness: Data breach attempts are inevitable. There are too many critical factors and digital entry points, and too little security awareness. We need an adequate incident response. Regular system audits and checks can help in taking timely action and correcting the defenses.
  3. Awareness: The cyber threat landscape is ever-evolving. Hence, we need to stay updated on the latest incidents and malware, and thorough cyber awareness sessions must be conducted for all employees. Cyber security is not just the responsibility of the IT department but of every employee dealing with data and information.

Financial and legal risks

  1. Advisory services: A strong legal department or consultant also helps in gaining knowledge of the legislation in place and in improving employees’ awareness.
  2. Insurance: Insuring against revenue loss and against compensation to be paid can help companies deal with the financial ramifications of successful attacks.

Cyber resilience will ensure the good health of the company. There may come a time in the near future when customers and patrons check the cyber security policy of a company before choosing to be associated with it. Research suggests that cyber security should be made mandatory as a regulation.

26th October, 2021 | Risk Management | Posted by QRC Assurance
